Tuesday, April 23, 2013

I run into inconsistent network configurations wherever I go, from customers who just let everything live in the native VLAN to ones who horrendously over-complicate things. For the majority of Cisco deployments I have a simple set of configuration standards I adhere to. You will always get corner cases requiring special configurations, but I find that the below works very well for most use cases.

Standard Access Port Configuration

This configuration is applied to ports connecting to standard end-user equipment, like PCs, printers etc.

The first two lines are self-explanatory: it's an access port living in VLAN 5. Portfast is something we configure on an access port; it tells STP not to bother with the listening and learning states and to put the port straight into the forwarding state, instead of taking the time to go through them.

BPDUs are basically STP messages exchanged between switches, so a BPDU is not something we expect to see on a normal access port. BPDUguard tells the switch that if it receives a BPDU on the port (for example because someone connected an unauthorized switch), it should shut the port down. Finally, BPDUfilter tells the switch not to send or receive BPDUs on ports configured as portfast.

ESXi Host Port Configuration

ESXi uses internal vSwitches and PortGroups, which allow VMs running on one host to reside in different VLANs.

Fairly straightforward: we configure our link as a trunk which carries VLANs 5 to 10 and 200. We then tell the switch that even though it's a trunk we're not connecting to another switch, so there is no need to worry about STP on the port. Lastly, bpduguard protects us against incorrect cabling: if the port receives a BPDU (which will happen if you inadvertently hook it up to another switch) it will shut down.

Standard Trunk Port Configuration

In the Cisco world a trunked link is a link that carries multiple VLANs. Not to be confused with link aggregation, which in Cisco parlance is called a Port-Channel.

Both sides of the trunk need to have the same native VLAN. By default the native VLAN is VLAN 1, but in all but the simplest deployments you will have to change this. We can also do VLAN pruning on our trunks, that is, only carry certain VLANs across our trunk.

Port-Channel Configuration

It is possible to aggregate multiple links between two switches and treat them as a single link. This gives us link redundancy and increased bandwidth. As a rule we do not use LACP, to ensure compatibility with, for example, vSphere vSwitches.

Once again simplicity is the name of the game. We create the interface, set the encapsulation (not strictly necessary, since Cisco defaults to dot1q) and set it as a trunk. Of course it does not need to be a trunk link; this is optional.
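Since the value of a standard lies in catching the ports that drift away from it, here is an added example (not from the original post) that audits a running-config against the access-port, ESXi trunk and trunk standards above: missing portfast, missing bpduguard on an edge port, a trunk still on native VLAN 1, and a trunk with no VLAN pruning. The interface names and VLAN numbers in the sample config are constructed for this example.

```python
# Constructed sample running-config excerpt; names and VLANs are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 5
interface GigabitEthernet1/0/23
 switchport trunk native vlan 999
 switchport trunk allowed vlan 5-10,200
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Split a running-config into {interface name: [indented config lines]}.
    Any non-indented line ("!" or the next top-level command) ends a stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces

def audit(lines):
    """Return findings for one interface stanza against the standards above."""
    findings = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "access" and "spanning-tree portfast" not in lines:
        findings.append("access port without portfast")
    if mode == "trunk" and not any(l.startswith("switchport trunk native vlan ") for l in lines):
        findings.append("trunk left on native VLAN 1")
    if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
        findings.append("trunk not pruned: carries every VLAN")
    # Access ports and ESXi-style portfast trunks must shut down on a BPDU, otherwise
    # an unauthorized switch plugged in here would quietly join the STP domain.
    edge = mode == "access" or "spanning-tree portfast trunk" in lines
    if edge and "spanning-tree bpduguard enable" not in lines:
        findings.append("edge port without bpduguard")
    return findings

def audit_config(config):
    return {name: audit(lines) for name, lines in parse_interfaces(config).items()}
```

Run `audit_config` over the output of `show running-config` and only interfaces with a non-empty list need attention. Note that an interface-level `spanning-tree bpdufilter enable` silently drops received BPDUs, so bpduguard on that same port never gets the chance to fire.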
